RE: Exchange 2003

From: Meidinger Chris (chris.meidinger@badenit.de)
Date: Thu Mar 04 2004 - 06:23:55 EST


Hi all,

if this is a production server, the symptom is almost unimaginable. I have
been unable to reproduce the behavior except by shutting down the network
cards, doing an nbtstat, then restarting them and doing it again. If I
disable netbios over tcp/ip, then I get the following excerpt:*

(* I am preceding the cmd.exe output with #, for clarity.
   also, all of these tests are being done on win2k3 enterprise
   server, without exchange 2003 on it. It is entirely possible
   that the results would look different on an exchange server,
   however, I doubt it)

# Administrator@flytrap / $ nbtstat -A 10.53.2.69
#
# Local Area Connection:
# Node IpAddress: [10.53.2.69] Scope Id: []
#
# Host Not Found
#
# Local Area Connection 2:
# Node IpAddress: [0.0.0.0] Scope Id: []
#
# Host Not Found

No matter how many connections I build, I cannot get any names in that
table. (Which makes sense, seeing as nbt is disabled)

Assuming that NetBios is not disabled, then the 'Remote Machine Name Table'
(nbtstat -c / nbtstat -A ${IP_ADDR} will show it) always includes at least
the following entries:

# Administrator@flytrap / $ nbtstat -A 10.53.2.69
#
# Local Area Connection:
# Node IpAddress: [10.53.2.69] Scope Id: []
#
# NetBIOS Remote Machine Name Table
#
# Name Type Status
# ---------------------------------------------
# FLYTRAP <00> UNIQUE Registered
# FLYTRAP <20> UNIQUE Registered
# HONEYNET <00> GROUP Registered
# HONEYNET <1E> GROUP Registered
# HONEYNET <1D> UNIQUE Registered
# ..__MSBROWSE__.<01> GROUP Registered
#
# MAC Address = 00-04-75-AF-93-7B
#
#
# Local Area Connection 2:
# Node IpAddress: [0.0.0.0] Scope Id: []
#
# Host not found.

As I mentioned yesterday, the 0x00 and 0x20 entries are from the workstation
and server services. The 0x1e and 0x1d are the domain/workgroup. (In an NT
Domain these can include 0x1b and 0x1c as well and I think even 0x1a. Don't
be alarmed if your 0x1* entries are different.) I am not aware of any
windows hardening technique (I am NOT a windows super-guru, so it is
entirely possible that such techniques exist, or are even common practice)
which shuts off the workstation AND server services, while leaving netbios
itself active.

Even if exchange is in a DMZ somewhere, and cannot talk to any other windows
system, it MUST have its own workgroup (in BR's case EXCHANGE, as evidenced
by the 0x1b, 0x1c and 0x1e entries) because it's wintendo, so that will also
not explain why the entries are missing.

Where is this all leading? I think that
        1) the exchange server may have serious problems if its nbtcache
doesn't even know its own name
        2) I need to see the results of nbtstat -c, nbtstat -S, nbtstat -n
and nbtstat -r to have an idea of what's b0rked
        3) if this is some hardening technique I would be grateful to anyone
who can provide a link or an explanation of what's happening to this guy
        4) if this host is multihomed (say like 3 NICs) I could imagine
that you are pulling nbtstat -A on the wrong one. Remember: nbtstat -A is
designed to see REMOTE name tables. The c, S, n and r switches are for local
stuff. It IS possible that the exchange server is somehow unwilling to give
that information out to just anyone without a connection. I am also not sure
how nbtstat behaves when called by an unprivileged user. Another interesting
question would be to know what user you are using, if it is the true
administrator (uid 500) or if it is someone else.

So, to you BR, can you provide more information? I had been assuming that
you were local (with telnet) on the exchange, and had been running nbtstat
that way. If your last post should be interpreted to mean that you were
running nbtstat -A through the firewall, then more ports must be open. You
can't run netbios commands over smtp or pop3. I suspect your analysis is
right that a session with one port was opening the firewall completely
between those two hosts.

Questions:
1 Are you local on the box?
2 Can you give us the output of the above-mentioned netbios commands, before
and after you build a telnet connection*?
3 What is the firewall config telling you, are you hitting the exchange
through the firewall, or are you local?
4 Do you have any idea how exotically this exchange is configured?
5 What is the output of nbtstat -A ${FW_IP} ?

*By 'telnet connection' do you mean a connection to the telnet service, or a
connection using telnet to the listeners on sockets 25 and 110?

Maybe you are hitting static port forwarding or something like that, and it
just looks like you're getting to the exchange. (Because you modified the
output, I cannot be 100% sure based on your nbtstat output what I'm seeing)

Ok guys, I never meant to write a book here, so I'll stop now,

Cheers,

Chris

-----Original Message-----
From: xterrabart@comcast.net [mailto:xterrabart@comcast.net]
Sent: Wednesday, March 03, 2004 4:50 PM
To: pen-test@securityfocus.com
Subject: Exchange 2003

Here is my interpretation of BR's original post since there seems to be some
confusion on what the scenario is...

I believe they are explaining that they attempted to run an NBTSTAT against
one of their Exchange servers and received a Host Not Found error, but ran
it again after making a telnet connection to the Exchange server on 25/tcp,
and received the correct information. The question was if anyone else has
experienced this?

I hope this better explains their question...That is if I am correct in my
understanding of it.
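As an added example (not part of Chris's post nor of any tool he mentions), the Python below parses `nbtstat -A` output like the excerpts in the thread, decodes the name suffixes Chris explains (0x00 workstation, 0x20 server, 0x1D/0x1E/0x1B/0x1C browser and domain entries, __MSBROWSE__ 0x01), and reports whether an interface answered "Host not found" or is missing the registrations he says are always present. The sample output is constructed from the excerpt quoted above; the suffix meanings are the standard Microsoft list.

```python
import re
# NetBIOS name suffixes (16th byte) named in the thread, with their standard Microsoft meanings.
SUFFIX = {("UNIQUE", 0x00): "Workstation service", ("UNIQUE", 0x20): "Server service",
          ("UNIQUE", 0x1D): "Master browser", ("UNIQUE", 0x1B): "Domain master browser",
          ("GROUP", 0x00): "Domain/workgroup", ("GROUP", 0x1C): "Domain controllers",
          ("GROUP", 0x1E): "Browser elections", ("GROUP", 0x01): "__MSBROWSE__ master browser"}
_ENTRY = re.compile(r"^(\S+?)\s*<([0-9A-F]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.I)

def parse_nbtstat(text):
    """Map each interface to {"ip", "names"}; names is None after 'Host not found'."""
    result, cur = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("# ").strip()       # the post prefixed its output with '#'
        if re.fullmatch(r"[^:<]+:", line):    # e.g. "Local Area Connection 2:"
            cur = result.setdefault(line[:-1], {"ip": None, "names": None})
        elif cur is None:
            continue                          # text before the first interface header
        elif m := re.search(r"Node IpAddress:\s*\[([^\]]*)\]", line):
            cur["ip"] = m[1]
        elif line.lower().startswith("host not found"):
            cur["names"] = None
        elif m := _ENTRY.match(line):
            cur["names"] = (cur["names"] or []) + [(m[1], m[3].upper(), int(m[2], 16), m[4])]
    return result

def describe(names):
    """Human-readable meaning of each table entry; unknown suffixes are flagged."""
    return [f"{n}<{s:02X}> {t}: {SUFFIX.get((t, s), 'unknown suffix')}" for n, t, s, _ in names]

def missing_core_services(names):
    """Registrations the thread says every NBT-enabled Windows host shows."""
    present = {(t, s) for _, t, s, _ in names or []}
    return sorted(SUFFIX[k] for k in {("UNIQUE", 0x00), ("UNIQUE", 0x20), ("GROUP", 0x00)} - present)

# Constructed sample, taken from the excerpt quoted in the post above.
SAMPLE = """\
# Local Area Connection:
# Node IpAddress: [10.53.2.69] Scope Id: []
# Name Type Status
# FLYTRAP <00> UNIQUE Registered
# FLYTRAP <20> UNIQUE Registered
# HONEYNET <00> GROUP Registered
# HONEYNET <1E> GROUP Registered
# HONEYNET <1D> UNIQUE Registered
# ..__MSBROWSE__.<01> GROUP Registered
# MAC Address = 00-04-75-AF-93-7B
# Local Area Connection 2:
# Node IpAddress: [0.0.0.0] Scope Id: []
# Host not found.
"""
```

Running `missing_core_services` on each interface's names gives an empty list for a healthy table, and a list of the absent services (or all three when the answer was "Host not found") for the situation the thread is chasing.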




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:49 EDT